Mangling TOS, or Precedence/SecurityOpts/Compartment?

Fri, 28 Oct 2005 16:24:49 -0700 

Hi there,

We are running a set of three systems for semiconductor technology, and
would like to finalize our work in getting them to interoperate properly,
but have run into some issues that touch on the very fabric of TCP/IP
expertise, but iptables has already been used to solve "part of this",
read on:

The three systems consist of:
System #1:
Chip fabrication tool running std. TCP Server, using port 5000

System #2:
Controller machine,  running standard TCP Client, using port 5000

System #3:
Invisible Analysis machine running Fedora Core 4, and analysis software

To see the drawing:
http://www.klxsystems.net/pics/Analysis.html

The Tool Server and the Controller Machine typically only communicate
with one another over a standard tcp connection, in single mode.

For the purposes of analysis, a third Invisible Analysis machine is
placed between Systems #1 and 2, and is cabled as shown in Figure 1, it
has two Ethernet ports, and in general acts like a bridge in that it
possesses a Bypass Card, which allows the Tool Server and the Controller
Machine to pass traffic through its two Ethernet ports.

One of the features of the Bypass card it contains, is that it physically
shunts the copper Ethernet connections together when, say, power is cut.

It runs in an unshunted format when conducting Analysis, and shunts
the copper back together when it hangs up  Its purpose is to sit
BETWEEN the Tool and Controller machines, and intercept data they are
exchanging, for analysis used to effect better performance, and then hang
up by shunting the connection, and thus allowing the two main machines
(Tool/Controller) to keep talking as they were prior to the analysis
machine intervening.

Our problem:

We need to seamlessly start and stop the second TCP Client connection the
Analysis machine invisibly creates/ terminates.

The issue has been one of TCP/IP sequence numbers, how to get them to
stay the same, and not drop the connection per RFC 798.  Using dsniff
or other sequence number guessing isnt an option.

One option for part of this might be to use PF rules to allow a change of
the source ip address of the packets going from the analysis machine
towards the tool server.

Or to change the precedence/securityopts/compartment fields by using PF
as well.

(I posted to the PF list to ask about the details of commands/ flags/
features, but some of this is beyond PF) -is there diffserv/iproute
functionality that would help with the below question from an openbsd
networking standpoint?

Perhaps it's yet another list someone might know of, or one of the gods
here will have some input from on high.

Question: how do we get the Analysis machine to invisibly connect, and
disconnect, without violating RFC 798?

There are several RFCs that point to Differentiated Service field
manipulations, using tools like iproute2, but those never went into ways
to actually MODIFY the Precedence, Security Option, and/or Compartment
fields in an IP header from what we could tell.

The RFC that led us to this information stated:

With the advent of DiffServ, intermediate nodes may modify the
Differentiated Services Codepoint (DSCP) [RFC2474] of the IP header to
indicate the desired Per-hop Behavior (PHB) [RFC2475, RFC2597,
RFC2598]. The DSCP includes the three bits formerly known as the
precedence field.  Because any modification to those three bits will be
considered illegal by endpoints that are precedence-aware, they may cause
failures in establishing connections, or may cause
established connections to be reset.

Any suggestions if iproute, iptables, or other technologies would
facilitate this complex type of transaction?

We understand that modifying the TOS can be done at the application level,
as stated by RFC 2873, but these other fields, its still vague as to what
we can utilize.

-karlski

Reply via email to